I'm looking at the password aging and account lock checks in
auth.c:allowed_user(), and specifically their behaviour on
HP-UX.
First, should this code be ifdef'd away if we're using PAM?
Next:
    /* Check account expiry */
    if ((spw->sp_expire > 0) && (days > spw->sp_expire))
        return 0;
If I lock an account by entering too many incorrect passwords,
sp_expire does not change (it stays at -1). From the comment in the
man page, I would expect it to be set to 0, but even then the code
above would not catch it.
long sp_expire; /* # of days from 1/1/70 when account is locked */
If I lock an account with passwd -l sp_expire is still -1. I tried
this on Solaris as well and it seems sp_expire is only for account
expiration.
The solution on HP-UX 10.20 and 11.0 is to use the getprpw(3)
interface.
And:
    /* Check password expiry */
    if ((spw->sp_lstchg > 0) && (spw->sp_max > 0) &&
        (days > (spw->sp_lstchg + spw->sp_max)))
        return 0;
If I expire a password with passwd -f:
-f Force user to change password upon next login by
expiring the current password.
sp_lstchg is set to 0. The above code does not catch that. So
it seems we want something like this (untested):
    /* Check password expiry */
    if (spw->sp_lstchg == 0 || (spw->sp_max > 0 &&
        days > spw->sp_lstchg + spw->sp_max)) {
        debug("Password for user \"%.200s\" expired",
            pw->pw_name);
        return 0;
    }
And there are no aging checks if you're not shadow/trusted. On HP-UX at
least, you can also age passwords without being configured as a trusted
system.
And we need to provide a way to change an expired password.
I'd like to look at building a password abstraction layer where all the
platform dependent password code resides. This includes various
interfaces to shadow and protected password information, password aging,
and password formats (crypt(), bigcrypt(), MD5). This will serve to
clean up auth-passwd.c and auth.c and probably some other stuff.
Is this a good direction?
On Wed, 20 Sep 2000, Kevin Steves wrote:

> I'm looking at the password aging and account lock checks in
> auth.c:allowed_user(), and specifically their behaviour on
> HP-UX.
>
> First, should this code be ifdef'd away if we're using PAM?

You are correct - done.

> Next:
>
>     /* Check account expiry */
>     if ((spw->sp_expire > 0) && (days > spw->sp_expire))
>         return 0;

I have changed it to "spw->sp_expire >= 0".

> sp_lstchg is set to 0. The above code does not catch that. So
> it seems we want something like this (untested):
>
>     /* Check password expiry */
>     if (spw->sp_lstchg == 0 || (spw->sp_max > 0 &&
>         days > spw->sp_lstchg + spw->sp_max)) {
>         debug("Password for user \"%.200s\" expired",
>             pw->pw_name);
>         return 0;
>     }

How about:

    if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) &&
        (days > (spw->sp_lstchg + spw->sp_max)))
        return 0;

> I'd like to look at building a password abstraction layer where all the
> platform dependent password code resides. This includes various
> interfaces to shadow and protected password information, password aging,
> and password formats (crypt(), bigcrypt(), MD5). This will serve to
> clean up auth-passwd.c and auth.c and probably some other stuff.
>
> Is this a good direction?

I think so, this sort of abstraction (in the form of loginrec.c) has
already made life much simpler. It may be of use for other projects as
well.

-d

--
| ``The power of accurate observation is | Damien Miller <djm at mindrot.org>
| commonly called cynicism by those who   | @Work <djm at ibs.com.au>
| have not got it'' - George Bernard Shaw | http://www.mindrot.org
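The account-expiry and password-aging checks the thread converges on, written out as an added example (not OpenSSH's auth.c). It assumes a local struct carrying only the shadow(4) fields the checks use, with the same names and day-count meaning as struct spwd; a real caller would pass the entry returned by getspnam(3). It covers the cases raised above: sp_expire of -1 (never) versus 0 or later (the ">= 0" change), sp_lstchg of 0 from passwd -f, and sp_max of -1 meaning no aging.

```c
#include <stdio.h>
#include <time.h>

/* Assumption: mirrors the struct spwd fields used by the checks. */
struct shadow_fields {
    long sp_lstchg;  /* days since 1970-01-01 of last change; 0 = must change now */
    long sp_max;     /* max days the password stays valid; -1 = no aging */
    long sp_expire;  /* days since 1970-01-01 when the account expires; -1 = never */
};

enum login_status { LOGIN_OK = 0, ACCOUNT_EXPIRED, PASSWORD_EXPIRED };

/* days: the current day count, e.g. from today_days() below. */
enum login_status check_aging(const struct shadow_fields *spw, long days)
{
    /* Account expiry: a negative value means "never". Testing >= 0 rather
     * than > 0 means an sp_expire of 0 is treated as expired, not ignored. */
    if (spw->sp_expire >= 0 && days > spw->sp_expire)
        return ACCOUNT_EXPIRED;

    /* passwd -f sets sp_lstchg to 0: the password must be changed at the
     * next login regardless of sp_max, so test this before normal aging. */
    if (spw->sp_lstchg == 0)
        return PASSWORD_EXPIRED;

    /* Normal aging applies only when both fields are set (not -1).
     * sp_max of 0 is a valid, immediately-expiring lifetime. */
    if (spw->sp_lstchg > 0 && spw->sp_max >= 0 &&
        days > spw->sp_lstchg + spw->sp_max)
        return PASSWORD_EXPIRED;

    return LOGIN_OK;
}

long today_days(void)
{
    return (long)(time(NULL) / 86400);
}

int main(void)
{
    /* Constructed sample entries, not real accounts. */
    struct shadow_fields never  = { 11000, -1, -1 };   /* no aging, no expiry */
    struct shadow_fields forced = { 0,     90, -1 };   /* after passwd -f */
    struct shadow_fields aged   = { 11000, 90, -1 };   /* 90-day lifetime */
    struct shadow_fields locked = { 11000, -1, 11200 };/* account expired */
    long days = 11300;
    printf("never=%d forced=%d aged=%d locked=%d\n",
           check_aging(&never, days), check_aging(&forced, days),
           check_aging(&aged, days), check_aging(&locked, days));
    return 0;
}
```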